Version Description
- Fixed issue where contributors and subscribers could see posts in the backend.
- Fixed Persistent XSS via display name when avatar is displayed.
Download this release
Release Info
| Developer | Collizo4sky |
| Plugin |  WP User Avatar |
| Version | 2.2.11 |
| Comparing to | |
| See all releases | |
Code changes from version 2.2.10 to 2.2.11
includes/class-wp-user-avatar-functions.php
CHANGED
|
@@ -440,6 +440,8 @@ class WP_User_Avatar_Functions {
|
|
| 440 |
$alt = apply_filters('wpua_default_alt_tag',__("Avatar",'wp-user-avatar'));
|
| 441 |
}
|
| 442 |
|
|
|
|
|
|
|
| 443 |
|
| 444 |
$avatar = str_replace('gravatar_default','',$avatar);
|
| 445 |
if(is_object($id_or_email)) {
|
|
@@ -625,6 +627,11 @@ class WP_User_Avatar_Functions {
|
|
| 625 |
$alt = $user->display_name;
|
| 626 |
}
|
| 627 |
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 628 |
// Checks if user has WPUA
|
| 629 |
$wpua_meta = get_the_author_meta($wpdb->get_blog_prefix($blog_id).'user_avatar', $email);
|
| 630 |
// Add alignment class
|
| 440 |
$alt = apply_filters('wpua_default_alt_tag',__("Avatar",'wp-user-avatar'));
|
| 441 |
}
|
| 442 |
|
| 443 |
+
$alt = esc_attr($alt);
|
| 444 |
+
$size = esc_attr($size);
|
| 445 |
|
| 446 |
$avatar = str_replace('gravatar_default','',$avatar);
|
| 447 |
if(is_object($id_or_email)) {
|
| 627 |
$alt = $user->display_name;
|
| 628 |
}
|
| 629 |
}
|
| 630 |
+
|
| 631 |
+
|
| 632 |
+
$alt = esc_attr($alt);
|
| 633 |
+
$size = esc_attr($size);
|
| 634 |
+
|
| 635 |
// Checks if user has WPUA
|
| 636 |
$wpua_meta = get_the_author_meta($wpdb->get_blog_prefix($blog_id).'user_avatar', $email);
|
| 637 |
// Add alignment class
|
includes/class-wp-user-avatar-subscriber.php
CHANGED
|
@@ -47,12 +47,8 @@ class WP_User_Avatar_Subscriber {
|
|
| 47 |
global $blog_id, $wpdb, $wpua_allow_upload, $wpua_edit_avatar;
|
| 48 |
$wp_user_roles = $wpdb->get_blog_prefix($blog_id).'user_roles';
|
| 49 |
$user_roles = get_option($wp_user_roles);
|
| 50 |
-
if((bool) $wpua_allow_upload == 1 && (bool) $wpua_edit_avatar == 1) {
|
| 51 |
-
$user_roles['subscriber']['capabilities']['edit_posts'] = true;
|
| 52 |
-
} else {
|
| 53 |
if(isset($user_roles['subscriber']['capabilities']['edit_posts'])){
|
| 54 |
unset($user_roles['subscriber']['capabilities']['edit_posts']);
|
| 55 |
-
}
|
| 56 |
}
|
| 57 |
update_option($wp_user_roles, $user_roles);
|
| 58 |
}
|
| 47 |
global $blog_id, $wpdb, $wpua_allow_upload, $wpua_edit_avatar;
|
| 48 |
$wp_user_roles = $wpdb->get_blog_prefix($blog_id).'user_roles';
|
| 49 |
$user_roles = get_option($wp_user_roles);
|
|
|
|
|
|
|
|
|
|
| 50 |
if(isset($user_roles['subscriber']['capabilities']['edit_posts'])){
|
| 51 |
unset($user_roles['subscriber']['capabilities']['edit_posts']);
|
|
|
|
| 52 |
}
|
| 53 |
update_option($wp_user_roles, $user_roles);
|
| 54 |
}
|
includes/class-wp-user-avatar.php
CHANGED
|
@@ -193,9 +193,6 @@ class WP_User_Avatar {
|
|
| 193 |
</p>
|
| 194 |
<p id="<?php echo ($user == 'add-new-user') ? 'wpua-remove-button' : 'wpua-remove-button-existing' ?>" class="<?php echo $hide_remove; ?>">
|
| 195 |
<button type="button" class="button" id="<?php echo ($user == 'add-new-user') ? 'wpua-remove' : 'wpua-remove-existing' ?>" name="wpua-remove"><?php _e('Remove Image', 'wp-user-avatar'); ?></button>
|
| 196 |
-
<?php if ((bool)$wpua_edit_avatar == 1 && ! $wp_user_avatar->wpua_is_author_or_above() && has_wp_user_avatar($current_user->ID) && $wp_user_avatar->wpua_author($wpua, $current_user->ID)) : // Edit button ?>
|
| 197 |
-
<span id="<?php echo ($user == 'add-new-user') ? 'wpua-edit-attachment' : 'wpua-edit-attachment-existing' ?>"><a href="<?php echo $edit_attachment_link; ?>" class="edit-attachment" target="_blank"><?php _e('Edit Image', 'wp-user-avatar'); ?></a></span>
|
| 198 |
-
<?php endif; ?>
|
| 199 |
</p>
|
| 200 |
<p id="<?php echo ($user == 'add-new-user') ? 'wpua-undo-button' : 'wpua-undo-button-existing' ?>">
|
| 201 |
<button type="button" class="button" id="<?php echo ($user == 'add-new-user') ? 'wpua-undo' : 'wpua-undo-existing' ?>" name="wpua-undo"><?php _e('Undo', 'wp-user-avatar'); ?></button>
|
| 193 |
</p>
|
| 194 |
<p id="<?php echo ($user == 'add-new-user') ? 'wpua-remove-button' : 'wpua-remove-button-existing' ?>" class="<?php echo $hide_remove; ?>">
|
| 195 |
<button type="button" class="button" id="<?php echo ($user == 'add-new-user') ? 'wpua-remove' : 'wpua-remove-existing' ?>" name="wpua-remove"><?php _e('Remove Image', 'wp-user-avatar'); ?></button>
|
|
|
|
|
|
|
|
|
|
| 196 |
</p>
|
| 197 |
<p id="<?php echo ($user == 'add-new-user') ? 'wpua-undo-button' : 'wpua-undo-button-existing' ?>">
|
| 198 |
<button type="button" class="button" id="<?php echo ($user == 'add-new-user') ? 'wpua-undo' : 'wpua-undo-existing' ?>" name="wpua-undo"><?php _e('Undo', 'wp-user-avatar'); ?></button>
|
readme.txt
CHANGED
|
@@ -4,7 +4,7 @@ Contributors: properfraction, collizo4sky
|
|
| 4 |
Tags: user profile, avatar, gravatar, author image, author photo, author avatar, bbPress, profile avatar, profile image, user avatar, user image, user photo, widget
|
| 5 |
Requires at least: 4.0
|
| 6 |
Tested up to: 5.6
|
| 7 |
-
Stable tag: 2.2.
|
| 8 |
License: GPLv2 or later
|
| 9 |
License URI: http://www.gnu.org/licenses/gpl-2.0.html
|
| 10 |
|
|
@@ -370,6 +370,10 @@ This would output:
|
|
| 370 |
|
| 371 |
== Changelog ==
|
| 372 |
|
|
|
|
|
|
|
|
|
|
|
|
|
| 373 |
= 2.2.10 =
|
| 374 |
* Fixed: Warning: Missing argument 2 for WP_User_Avatar.
|
| 375 |
* Re-added support for hook implementation eg on wp frontend.
|
| 4 |
Tags: user profile, avatar, gravatar, author image, author photo, author avatar, bbPress, profile avatar, profile image, user avatar, user image, user photo, widget
|
| 5 |
Requires at least: 4.0
|
| 6 |
Tested up to: 5.6
|
| 7 |
+
Stable tag: 2.2.11
|
| 8 |
License: GPLv2 or later
|
| 9 |
License URI: http://www.gnu.org/licenses/gpl-2.0.html
|
| 10 |
|
| 370 |
|
| 371 |
== Changelog ==
|
| 372 |
|
| 373 |
+
= 2.2.11 =
|
| 374 |
+
* Fixed issue where contributors and subscribers could see posts in the backend.
|
| 375 |
+
* Fixed Persistent XSS via display name when avatar is displayed.
|
| 376 |
+
|
| 377 |
= 2.2.10 =
|
| 378 |
* Fixed: Warning: Missing argument 2 for WP_User_Avatar.
|
| 379 |
* Re-added support for hook implementation eg on wp frontend.
|
wp-user-avatar.php
CHANGED
|
@@ -5,7 +5,7 @@ Plugin URI: http://wordpress.org/plugins/wp-user-avatar/
|
|
| 5 |
Description: Use any image from your WordPress Media Library as a custom user avatar. Add your own Default Avatar.
|
| 6 |
Author: ProfilePress
|
| 7 |
Author URI: https://profilepress.net/
|
| 8 |
-
Version: 2.2.
|
| 9 |
Text Domain: wp-user-avatar
|
| 10 |
Domain Path: /lang/
|
| 11 |
*/
|
|
@@ -33,7 +33,7 @@ class WP_User_Avatar_Setup {
|
|
| 33 |
* @since 1.9.2
|
| 34 |
*/
|
| 35 |
private function _define_constants() {
|
| 36 |
-
define('WPUA_VERSION', '2.2.
|
| 37 |
define('WPUA_FOLDER', basename(dirname(__FILE__)));
|
| 38 |
define('WPUA_DIR', plugin_dir_path(__FILE__));
|
| 39 |
define('WPUA_INC', WPUA_DIR.'includes'.'/');
|
| 5 |
Description: Use any image from your WordPress Media Library as a custom user avatar. Add your own Default Avatar.
|
| 6 |
Author: ProfilePress
|
| 7 |
Author URI: https://profilepress.net/
|
| 8 |
+
Version: 2.2.11
|
| 9 |
Text Domain: wp-user-avatar
|
| 10 |
Domain Path: /lang/
|
| 11 |
*/
|
| 33 |
* @since 1.9.2
|
| 34 |
*/
|
| 35 |
private function _define_constants() {
|
| 36 |
+
define('WPUA_VERSION', '2.2.11');
|
| 37 |
define('WPUA_FOLDER', basename(dirname(__FILE__)));
|
| 38 |
define('WPUA_DIR', plugin_dir_path(__FILE__));
|
| 39 |
define('WPUA_INC', WPUA_DIR.'includes'.'/');
|
